Cybersecurity isn’t easy, but simple principles still apply. Accountability is one, cooperation another. They are the cornerstones of security and resilience in any society. In furtherance of both, and after careful investigation, the U.S. today publicly attributes the massive “WannaCry” cyberattack to North Korea.

The attack spread indiscriminately across the world in May. It encrypted and rendered useless hundreds of thousands of computers in hospitals, schools, businesses and homes. While victims received ransom demands, paying did not unlock their computers. It was cowardly, costly and careless. The attack was widespread and cost billions, and North Korea is directly responsible.

We do not make this allegation lightly. It is based on evidence. We are not alone with our findings, either. Other governments and private companies agree. The United Kingdom attributes the attack to North Korea, and Microsoft traced the attack to cyber affiliates of the North Korean government.

While it's nice to hear this is "based on evidence" and that a "careful investigation" was performed, the op-ed piece still raises questions. Attribution is always difficult, but there seems to be info missing.

Wannacry was ransomware, but nowhere in Bossert's piece is there any indication North Korea turned a profit. The article says Wannacry "cost" billions, but it doesn't say anything about North Korea suddenly being awash in illicitly-obtained cash.

Also glossed over in Bossert's tough-talking attribution announcement/cybersecurity muscle flexing is the original source of the Wannacry ransomware: purloined NSA exploits. There are all kinds of problems with Bossert's announcement, as Marcy Wheeler points out:

A representative of the government whose tools created this attack, said this without irony.

The U.S. must lead this effort, rallying allies and responsible tech companies throughout the free world to increase the security and resilience of the internet.

And the guy whose boss has, twice in the last week, made googly eyes at Vladimir Putin said this as if he could do so credibly.

As we make the internet safer, we will continue to hold accountable those who harm or threaten us, whether they act alone or on behalf of criminal organizations or hostile nations.

None of this necessarily adds up to the US government pinning the attacks on the wrong entity, but given the pedigree of the mouthpiece and the administration's desire to minimize reports of Russian government-directed cyberattacks, pinning this on the President's favorite Twitter punching bag (MSM notwithstanding) seems more convenient than accurate.

Even if it's 100% accurate, there had to have been better ways to deliver this news than with a threat of actual, physical war appended. Bossert's piece -- after glossing over the NSA's inadvertent contribution to the worldwide ransomware attack and throwing some shade at the previous administration -- wraps everything up with this:

As for North Korea, it continues to threaten America, Europe and the rest of the world—and not just with its nuclear aspirations. It is increasingly using cyberattacks to fund its reckless behavior and cause disruption across the world. Mr. Trump has already pulled many levers of pressure to address North Korea’s unacceptable nuclear and missile developments, and we will continue to use our maximum pressure strategy to curb Pyongyang’s ability to mount attacks, cyber or otherwise.

Using cyberattacks as an excuse for IRL attacks is a scary idea. The Trump Administration seems willing to draw down on North Korea at any moment, which isn't good news for anyone anywhere in the world. And it follows the newly-minted tradition established by the Obama Administration: mixing and matching war metaphors to treat cyberattacks like Pearl Harbor.

from the countering-violent-extremism dept

There's been a lot of debate over the past few years about forcing internet platforms -- YouTube, Facebook and Twitter, mainly -- to respond to terrorists (oddly only Muslim terrorists) using those platforms for propaganda and agitation by taking down that content. It's often been discussed under the banner of "countering violent extremism" or CVE. These days, those and other platforms tend to have large staffs reviewing videos, and especially quickly pulling down videos of ISIS promoters calling for attacks on America and Europe. And, in some countries it's now required by law that internet platforms remove such content. And you can certainly understand the gut reaction here: someone calling you evil and encouraging attacks on you is seriously unnerving.

One of the points that we make about this, though, is that while many, many people think it's "easy" to determine which content is "good" and which content is "bad," it's not. The areas of gray are vast and murky. One example we pointed to is that when YouTube was first pressured into taking down terrorist propaganda videos, it resulted in YouTube killing a channel that was documenting atrocities in Syria. Understanding the difference between promoting violence and documenting violence is not easy.

And here's another example. You may have seen the following news clip floating around, involving a Trump-connected Pastor named Robert Jeffress explaining on a news program why the Bible says it's okay to assassinate Kim Jong Un and go to war with North Korea.

That video clip is all over the news this week and can be found all over the internet. The copy I'm posting above is from Twitter, but I'm sure it can be found elsewhere as well. But what if, instead of an evangelical pastor, that statement were coming from a Muslim cleric, and instead of North Korea and Kim Jong Un it talked about America and Donald Trump? Would it still be all over social media, or would people be demanding that the internet take it down?

And this question applies no matter what you think of the video above. I'm not making a statement one way or the other on the content of it, even if I have an opinion about that. My point is simply that when we demand that platforms pull down "radical" content pushing for "violent extremism," it's really, really difficult to distinguish between the video above and some of what, say, ISIS releases.

This is a point that I think frequently gets lost in these discussions. People think that it's easy to tell what's "bad" because it's easy for them to determine what is bad in their opinion or bad to them. But setting up general rules that scale across an entire platform is almost impossible. And even if you argue that the context of this video is different from my Muslim cleric example, you're only helping to make my point. Because that would mean that anyone reviewing the video to determine if it stays up or down would have to become knowledgeable in the overall context -- which in this case could require understanding centuries of global religious views and conflicts. I'm sorry, but Facebook, YouTube, Twitter and everyone else can't hire thousands of PhDs in all related fields to review these videos (within hours) with the level of understanding and context necessary to make a judgment call on each and every one.

None of this is to say that the platforms need to leave everything up (or take everything down). But if you're going to require platforms to police content, you need to at least recognize that any "rules" on this stuff will lead to rules you don't like. Rules that say a Muslim cleric's call for war on America is not allowed will almost certainly lead to the video above also not being allowed. Maybe some people are comfortable with neither being allowed, but the situation sure gets tricky quickly...

from the failure-to-launch dept

We've had some fun with our North Korean friends around these parts in the past, mostly revolving around the Pyongyang regime's adorable attempts to bolster its already nefarious reputation through its propaganda efforts. While the nation's Orwellian policies are both stark and serious, and it certainly does have troubling weapons in its arsenal, so many of its threats have amounted to bad propaganda devised through the liberal use of video game footage, music and bad attempts at Photoshop. Well, the arms race doesn't end, of course, which is why North Korea is pleased to display its latest weapon: bad attempts at video editing!

Who can help being inspired by the replay-launching of a submarine missile? What with all that heart-thumping music in the background? Now, I can't translate the speech, so I'm not absolutely certain of what is being said, but I'm pretty sure the narrator isn't explaining that, hey, this missile actually blew up in failure, but we cut the video together to make it look like it was super-explode-y successful! And, yet, that's exactly what the analysis done by a California think-tank suggests is the case.

Footage of a North Korean submarine-launched ballistic missile (SLBM) test released by Pyongyang two days after it announced it had conducted the country's fourth nuclear test last week was faked, according to an analysis by a California-based think tank.

"The rocket ejected, began to light, and then failed catastrophically," said Melissa Hanham, a senior research associate at the California-based Middlebury Institute's James Martin Centre for Nonproliferation Studies (CNS).

The CNS analysis shows two frames of video from state media where flames engulf the missile and small parts of its body break away.

"North Korea used heavy video editing to cover over this fact," Hanham said in an email. "They used different camera angles and editing to make it appear that the launch was several continuous launches, but played side by side you can see that it is the same event".

All of this comes on the heels of Pyongyang's announcement that it had successfully tested a more advanced nuclear bomb in recent weeks. That announcement too was met with narrow eyes from analysts and the US government, likely because of North Korea's long-standing fake-it-til-you-make-it weapons policy. The general consensus is still that North Korea isn't capable of fitting its nuclear arsenal, which is quite limited, onto any type of serious missile delivery system.

Which isn't to say that the regime isn't dangerous. It most certainly is, chiefly to its own population and to its southern neighbors, whom it continues to hold hostage in return for aid for its crumbling regime. Just keep all this in mind whenever you hear the hawks talk about how dangerous our enemies are.

from the shop-skillz dept

Whenever our friends in Pyongyang decide to troll the planet with one of their hilariously bad propaganda pieces, it always makes me wonder just how serious the North Korean regime is about this whole war thing. I mean, using video game footage and music to threaten 'Merica? C'mon, son. And those photoshopped photo-ops of your human-chicken-dumpling leader just don't inspire much confidence in the country's technological capabilities. But it's when North Korea combines war and fun-bad photoshopping that the real fun begins.

Experts, it appears, aren't all that impressed with the photo. That was particularly the case when the state-run Pyongyang press circulated other photos of the launch that were complete with columns of smoke from the missile, columns of smoke conspicuously absent from the initial photo that was circulated above.

As Markus Schiller and Robert Schmucker, of Schmucker Technologie, told Reuters, “Considering the track record of North Korean deceptions, it seems sensible to assume that any North Korean SLBM [submarine-launched ballistic missile] capability is still a very long time in the future, if it will ever surface.”

What the column-less photo lacked in smoke, it made up for with weird, poorly placed ocean smudges. That reddish patch of water you see to the left of the missile? That’s supposed to be the rocket’s reflection.

And, so, sadly, the only thing this launch report from North Korea tells us is that they still haven't gotten photoshop down. Oh well. If they ever did get into an actual shooting war again, I suppose they could always just photoshop themselves into some kind of victory pose. Given how often their progress with weapons technology turns out to be non-progress at photo-bullshitting, such a war is probably a remote possibility. Several of the commenters over at Gawker offered to help them out, of course, though this one is probably my favorite.

A $50 portable media player is providing many North Koreans a window to the outside world despite the government's efforts to keep its people isolated -- a symbol of change in one of the world's most repressed societies.

By some estimates, up to half of all urban North Korean households have an easily concealed "notel", a small portable media player used to watch DVDs or content stored on USB sticks that can be easily smuggled into the country and passed hand to hand.

People are exchanging South Korean soaps, pop music, Hollywood films and news programs, all of which are expressly prohibited by the Pyongyang regime, according to North Korean defectors, activists and recent visitors to the isolated country.

The Reuters story reports that the device has become so popular that the North Korean government felt obliged to legalize the "notel" -- but with the requirement that they had to be registered. These versions must be fixed to official state television and radio channels, but the smuggled models are more versatile:

The low-voltage notel differs from the portable DVD players of the late 1990s in that they have USB and SD card ports, and a built-in TV and radio tuner. They can also be charged with a car battery -- an essential piece of household equipment in electricity-scarce North Korea.

The dual media capability means a North Korean DVD can be inserted while watching smuggled, forbidden content from South Korea on a USB stick, which can be quickly removed if the authorities turn up to conduct a check on a household.

A key factor driving the uptake of these new devices is Moore's Law. This has pushed down the price of the components used in the notel box to the point where even North Koreans, with their rising, but still very limited disposable incomes, can afford them. It has increased the capacities of USBs and SD cards such that several film-length videos can be stored on devices that are very easy to hide at short notice. That means it only requires one copy of a South Korean film -- or other, even more subversive material -- to enter North Korea, and it can be copied and passed around on a scale that makes stopping it almost impossible for the authorities. It will be fascinating to watch the social and political ramifications of this silent struggle between tyranny and technology.

from the say-what-now? dept

I should note, upfront, that I've had the chance to meet FCC Commissioner Ajit Pai a couple of times, and always found him to be interesting and knowledgeable, as well as engaged on important issues. Yet, for whatever reason, when it comes to net neutrality issues, the former Verizon lawyer (clue number 1) seems to have gone off the deep end, tossed all logic and intellectual honesty out the window, in an effort to just lash out angrily with whatever he's got. We've talked about his incoherent attack on Netflix and his sudden and newfound love of transparency (never noted before...).

But his latest move just strips whatever credibility he may have had on the subject completely away. He's insisting that the FCC's new net neutrality rules (which he opposes) will inspire North Korea and Iran to further control and censor the internet (which they already control and heavily censor). And he's not arguing this in a "they hate us for our freedom" way, but he's actively lying and claiming that this move -- a move to guarantee openness and not censorship online -- will give the North Korean and Iranian governments the political cover to censor the internet. Let's be frank, Pai's statements are complete nonsense.

“If in the United States we adopt regulations that assert more government control over how the Internet operates ... it becomes a lot more difficult for us to go on the international stage and tell governments: ‘Look, we want you to keep your hands off the internet,’” he said.

“Even if the ideas aren’t completely identical, you can appreciate the optical difficulty in trying to make that case,” he added.

Except, uh, the "rules" being described are ones that just say "the internet needs to be open and free from interference, censorship and discrimination." I don't see how anyone could legitimately claim this will somehow undermine a message of internet freedom. But watch Pai work himself up into a moral panic over a complete misrepresentation of what's happening:

In the background, meanwhile, countries such as North Korea and Cuba are trying to exact more control of the Internet through an arm of the United Nations called the International Telecommunication Union, he warned.

Nations such as Turkey and China are also enacting new controls in their own countries and “testing the waters to see how much they can get away with,” Pai said.

“I think the U.S.-based system of Internet governance has served us very well and I hope we don’t do anything to jeopardize that in the near future.”

He's right that there are questions about internet governance -- and we've covered the various discussions on that for a while now. But the FCC's rules to protect an open and free internet are not about "internet governance" or Cuba or North Korea censoring the internet at all. It takes a special kind of desperation to try to argue that preserving an open and free internet is actually about telling oppressive authoritarian regimes that it's okay to censor and lock down the internet. No one believes it at all, and it just takes away whatever credibility Pai may have had on the subject.

from the US-Government-steadies-finger,-points dept

Never doubt the power of motion picture studios. The US government is moving ahead with plans to smack around North Korea for the Sony Pictures hack. That this is seemingly based on nothing more than a strong hunch by the FBI doesn't seem to matter. The wheels are rolling and the scapegoat will be properly chastised.

Symbolic actions and symbolic words are being handed down by the administration, under the unlikely moniker of "a proportionate response." Sanctions are being levied against ten North Korean officials, even as other unnamed administration officials admit there's no evidence those named were behind the attacks in any form. Let's all enjoy this quote, which shows the US government is willing to defend the honor of Sony Pictures even at the expense of its own reputation.

“It’s a first step,” one of the officials said. “The administration felt that it had to do something to stay on point. This is certainly not the end for them.”

There you have it. There will be more symbolic stupidity in the future, if only for consistency's sake. The next question is: if the goal is to deliver a knockout blow, how effective are continued head punches when the target has already lost consciousness?

The actions may well turn out to be more symbolic than substantive: North Korea already faces some of the heaviest sanctions of any country.

The North Korean government doesn't really care if more sanctions are handed down. It hasn't made many attempts to ingratiate itself with the US. It is resolutely its own evil empire and appears to be happy being one of the world's villains.

Once you get beyond the futile administrative shouting, there's the reality of the situation: there's really not much evidence pointing to North Korea's involvement in the Sony hack. So, even if the sanctions are effective, they're likely misguided.

The link between the hacking and the North Korean government's public damnation of "The Interview" is extremely tenuous. The hackers behind the attack never linked their actions to the film until after the press did. Additional information points in various directions, but nothing directly at the North Korean government. The evidence the FBI was willing to part with only indicates that the malware used resembles malware used in previous NK hackings -- which is really just saying malware that works well tends to resemble other malware that works well. It's not a smoking gun. It's not even a gun in a safe with the clip removed. It's a finger in a coat pocket -- something that only looks slightly dangerous/damning when hidden, but completely ridiculous when out in the open.

But the US government has decided North Korea is to blame and the North Korean government is only too happy to alternate between evil empire and unfairly besmirched world citizen. The question is: who is the administration scoring points for by pursuing sanctions against an entity that hacked a private corporation? Even if the administration is privy to information that definitively indicates North Korea's involvement, why is it throwing its weight behind an incident that was more embarrassing than damaging? Countless American businesses have been hacked over the past several years, leaving millions of Americans' personal information exposed… and little to no response from the US government. But spring loose a few thousand internal emails dealing with celebrity squabbling, MPAA/state AG collusion and other internal issues, and suddenly, it's time for America to go to (cyber)war.

from the still-pretty-sure dept

After the FBI formally named North Korea as being behind the Sony Hack, a lot of people in the cybersecurity community explained why they didn't find the evidence at all compelling. There was pretty widespread disbelief in the story -- though most admitted that it was possible that the FBI had additional evidence it wasn't sharing. In the past few days, a lot of attention has been paid to a theory coming out of Norse Security, that the attack really came from a group of people (not associated with North Korea) including, in particular, a disgruntled ex-Sony employee. On Monday, the FBI met with Norse to hear what the company had to say, but apparently came away unconvinced. The FBI continues to stand by its assertion that North Korea did it.

Asked about the meeting and criticism on Monday, the FBI declined to comment beyond a prepared statement that they are confident the North Koreans are behind the crippling Thanksgiving attack and there is “no credible information” to suggest otherwise.

Tuesday, a U.S. official familiar with the matter said after the three-hour meeting, law enforcement concluded that the company’s analysis “did not improve the knowledge of the investigation.”

Ouch. Once again, it is entirely possible that the FBI has access to even more information that it has not shared. However, it does seem rather clear at this point that the evidence it has shared publicly is just as unconvincing to cybersecurity experts as the information those security experts have shared is unconvincing to the FBI.

from the and-for-not-giving-his-precious-nsa-your-data dept

Rep. Mike Rogers is just about out of Congress, but the NSA's biggest defender (despite his supposed role in "overseeing" the agency) is using his last days on Capitol Hill to keep pushing his favorite causes. Over the weekend, he complained that President Obama basically should have gone to "cyberwar" with North Korea over the Sony hack.

“Unfortunately, he’s laid out a little of the playbook,” Rogers said. “That press conference should have been here are the actions.” ...

Without discussing specifics, Rogers said the U.S. has the capability to cripple North Korea’s cyberattack capabilities, which have been rapidly improving over the last few years.

“I can tell you we have the capability to make this very difficult for them in the future,” he said.

And I can tell you that Mike Rogers is full of bluster with little basis. First off, there is still some fairly strong skepticism in the actual computer security field that North Korea was behind the hack. Launching an all-out attack without more proof would seem premature. Second, Rogers is simply wrong or clueless. We don't have the capability to "cripple" anyone's "cyberattack capabilities" unless he means taking out the entire internet. There are always ways around that. Even the reports that we've seen that do blame North Korea don't seem to think the full attack came from North Korea, so doing something like taking the few internet connections in North Korea off the map wouldn't do much good if the actual attack came from, say, China or Eastern Europe or somewhere else.

Third, can we just get over this ridiculous idea that a hack of one company, which may or may not have been by actors working for a government, is an act of either "terrorism" or "war"? It's not. It's a hack. Tons of companies get hacked every day. Some have good security and still get hacked. Some, like Sony, appear to have terrible security and get hacked very easily. It's not terrorism. It's not war. It's a hack. We shouldn't be talking about retaliation or destroying countries over a hack. We should be talking about better security. Jim Harper does a good job explaining why an overreaction is a bad idea:

The greatest risk in all this is that loose talk of terrorism and “cyberwar” lead nations closer to actual war. Having failed to secure its systems, Sony has certainly lost a lot of money and reputation, but for actual damage to life and limb, you ain’t seen nothing like real war. It is not within well-drawn boundaries of U.S. national security interests to avenge wrongs to U.S. subsidiaries of Japanese corporations. Governments in the United States should respond to the Sony hack with nothing more than ordinary policing and diplomacy.

But, no, not Mike Rogers. Instead, he's using this as his opportunity to push for his favorite bad law: giving the NSA more power to sift through your data:

Rogers, who is retiring from Congress in just a few days, made a final plug for his bill to facilitate cybersecurity information sharing between the private sector and National Security Agency (NSA). The measure passed the House, but stalled in the Senate, held up by privacy concerns.

It’s necessary, Rogers argued, if the U.S. wants to protect itself from similar attacks in the future. Because of laws on the books, the NSA is limited in its ability to protect private critical infrastructure networks.

He's talking, of course, about his beloved CISPA, which would effectively remove any liability from companies for sharing your private data with the NSA (and the rest of the government). But, as per usual with Rogers, he's wrong about nearly all of the details. There is nothing in CISPA that would have made it so the NSA could have "protected" Sony. Sony's problem here was Sony's terrible computer security. So, no, we don't need CISPA or other cybersecurity legislation to better protect the internet.

And is Mike Rogers really trying to argue that Sony's private intranet is "critical infrastructure"?

Finally, there's nothing in the law today that stops a company from sharing "malicious source code" with the government or others. We already have a good way for dealing with that that doesn't require a new law that gives the NSA more access to everyone's data.

Either way, it looks like Rogers is going out in typical fashion -- shooting his mouth off in favor of his friends and pet projects, without actually understanding or caring about the details. No wonder he's going into AM talk radio. He'll be a perfect fit.

from the h4x0r! dept

Just this morning, Tim Cushing (aka, Other Tim) wrote about how likely it was that the White House would make a statement today on the Sony hack, naming North Korea as the perpetrator and treating this all like a far bigger deal than it probably should be. However, the FBI beat them to the punch, becoming the first alphabet agency to formally accuse North Korea of being 56th in line in the great 12 year hackathon that's been Sony's corporate networks.

As a result of our investigation, and in close collaboration with other U.S. government departments and agencies, the FBI now has enough information to conclude that the North Korean government is responsible for these actions. While the need to protect sensitive sources and methods precludes us from sharing all of this information, our conclusion is based, in part, on the following:

- Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.

- The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.

- Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.

Since the rumors that a formal accusation was on the way first began, the question on everyone's mind has been exactly what evidence would be used to draw that conclusion. As it turns out, based on what the FBI is releasing, it seems fairly thin. Their press release makes it sound like the attacks upon which they're drawing similarities are significantly alike, when a great deal of other reporting indicates that they simply use the same hacking software available on the black market and are routing through some locations known for their use by hackers. The similarity between the Sony attack and the attack on South Korea has more to do with the above plus the timing. The accusation that the hacks used were directly developed by North Korea is interesting, but meaningless without actual evidence. Simply saying it doesn't make it so.

Regardless, even if North Korea does prove to have been responsible, there's no excuse for saying things like:

North Korea’s attack on SPE reaffirms that cyber threats pose one of the gravest national security dangers to the United States. Though the FBI has seen a wide variety and increasing number of cyber intrusions, the destructive nature of this attack, coupled with its coercive nature, sets it apart. North Korea’s actions were intended to inflict significant harm on a U.S. business and suppress the right of American citizens to express themselves.

While I'm generally loath to blame a victim, when that victim takes so lax an attitude toward its own security as to be hacked roughly five times a year and still not bother to implement basic password policies, what else am I supposed to do? This doesn't show the grave, mega-scary, super-threat of cyber-terrorism. It shows that Sony has some exceptionally lazy security and IT people. As for the attack posing a threat to a freedom of expression, well, we have Sony's cowardice and the cowardice of the theater chains for that. It's unbelievable that companies operating within the American system should self-censor this way. It's surrender of the mind and the thought. It's the same thing as the Danish cartoons and Salman Rushdie. Sony and the theaters are allowed to self-censor and to deprive the American people of the movie, but that doesn't make it okay.

You should expect to see the White House touting the FBI's report as gospel and to rattle several sabers in the direction of Pyongyang, for all the good it will do. Giving in to a regime that can't manage to feed its own people seems like a mistake to me, but what do I know?

Update: And, almost as this post was finished being written, President Obama appeared before the press to condemn the attacks. He also indicated that it was the wrong move for Sony to censor the movie. In fact, he suggested that Sony should have consulted with the administration to assess the threat. Both comments, of course, are quite easy to make now that it's Friday and the decision cannot be reversed.